I. Review the SMALL ENTITY status shown above.

If the SMALL ENTITY is shown as YES, verify your current 
SMALL ENTITY status: 

A. If the status is the same, pay the TOTAL FEE(S) DUE shown 
above. 
Fee(s) Transmittal and pay the PUBLICATION FEE (if required)
and twice the amount of the ISSUE FEE shown above, or 
III. All communications regarding this application must give the application number. Please direct all communications prior to issuance to
Mail Stop ISSUE FEE unless advised to the contrary. 

IMPORTANT REMINDER: Utility patents issuing on applications filed on or after Dec. 12, 1980 may require payment of 
maintenance fees. It is patentee's responsibility to ensure timely payment of maintenance fees when due. 
PART B - FEE(S) TRANSMITTAL

Complete and send this form, together with applicable fee(s), to: Mail Mail Stop ISSUE FEE 

Commissioner for Patents 
P.O. Box 1450 

Alexandria, Virginia 22313-1450 
or Fax (571)-273-2885 
FLIESLER MEYER LLP
Note: A certificate of mailing can only be used for domestic mailings of the
Fee(s) Transmittal. This certificate cannot be used for any other accompanying 
papers. Each additional paper, such as an assignment or formal drawing, must 
Certificate of Mailing or Transmission
Determination of Patent Term Adjustment under 35 U.S.C. 154 (b)

(application filed on or after May 29, 2000) 

The Patent Term Adjustment to date is 659 day(s). If the issue fee is paid on the date that is three months after the 
mailing date of this notice and the patent issues on the Tuesday before the date that is 28 weeks (six and a half 
months) after the mailing date of this notice, the Patent Term Adjustment will be 659 day(s). 

If a Continued Prosecution Application (CPA) was filed in the above-identified application, the filing date that 
determines Patent Term Adjustment is the filing date of the most recent CPA. 

Applicant will be able to obtain more detailed information by accessing the Patent Application Information Retrieval 
(PAIR) WEB site (http://pair.uspto.gov). 
directed to the Customer Service Center of the Office of Patent Publication at 1-(888)-786-0101 or
(571)-272-4200. 
09/878,536


PATRICK, PAUL 


Examiner 


Art Unit 
-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --

All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308.

1. ☒ This communication is responsive to 1/15/08.

2. The allowed claim(s) is/are 1,2,4,6,7,10-12,18,19,21,23,24,27-29,42 and 43.

3. □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 

a) □ All b) □ Some* c) □ None of the:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .

3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the

International Bureau (PCT Rule 17.2(a)). 
* Certified copies not received: . 

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
THIS THREE-MONTH PERIOD IS NOT EXTENDABLE. 

4. □ A SUBSTITUTE OATH OR DECLARATION must be submitted. Note the attached EXAMINER'S AMENDMENT or NOTICE OF 

INFORMAL PATENT APPLICATION (PTO-152) which gives reason(s) why the oath or declaration is deficient. 

5. □ CORRECTED DRAWINGS (as "replacement sheets") must be submitted.

(a) □ including changes required by the Notice of Draftsperson's Patent Drawing Review (PTO-948) attached

1) □ hereto or 2) □ to Paper No./Mail Date . 

(b) □ including changes required by the attached Examiner's Amendment / Comment or in the Office action of 

Paper No./Mail Date . 

Identifying indicia such as the application number (see 37 CFR 1.84(c)) should be written on the drawings in the front (not the back) of 
each sheet. Replacement sheet(s) should be labeled as such in the header according to 37 CFR 1.121(d). 

6. □ DEPOSIT OF and/or INFORMATION about the deposit of BIOLOGICAL MATERIAL must be submitted. Note the 

attached Examiner's comment regarding REQUIREMENT FOR THE DEPOSIT OF BIOLOGICAL MATERIAL. 



Attachment(s) 

1. □ Notice of References Cited (PTO-892)

2. □ Notice of Draftperson's Patent Drawing Review (PTO-948) 

3. □ Information Disclosure Statements (PTO/SB/08), 

Paper No./Mail Date 

4. □ Examiner's Comment Regarding Requirement for Deposit 

of Biological Material 



5. □ Notice of Informal Patent Application

6. □ Interview Summary (PTO-413),

Paper No./Mail Date .

7. ☒ Examiner's Amendment/Comment

8. ☒ Examiner's Statement of Reasons for Allowance

9. □ Other . 
EXAMINER'S AMENDMENT

An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312.
To ensure consideration of such an amendment, it MUST be submitted no later than the payment 
of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview with 
Thomas Plunkett (Reg. No. 57,253) on 4/2/08. The amendments were to move up allowable 
subject matter from the dependent claims into the independent claims to place the application in 
condition for allowance. As per MPEP 713.04 a separate interview summary form is not provided 
as the substance of the interview has been summarized herein. 

The application has been amended as follows: 
IN THE CLAIMS: 

1. (Currently Amended): A security system for allowing a client to access a protected 
resource through an application container, the security system comprising: 

the application container, which provides services for a protected resource, wherein the 
application container delegates authorization decisions to a security service by passing an 
access request and a callback handler to the security service when the application container 
receives the access request for a protected resource from the client; 

context information, wherein the context information comprises one or more parameter 
values describing the access request, identity of the protected resource, and profile information 
describing the client; 
the security service for making a decision to permit or deny the access request, wherein
a plurality of security plug-ins that implement an access decision interface are plugged into the 
security service, and wherein the plurality of security plug-ins use the callback handler to 
request the context information from the application container for the access request, and 
wherein the plurality of security plug-ins determine roles for which the client is entitled, and 
wherein association of the client to roles is computed dynamically at runtime, and wherein 
each of the plurality of security plug-ins determines a contributory decision selected from a 
group comprising: permit, deny, and abstain, and wherein depending on output from each 
security plug-in the security service determines entitlements for the client to use with the 
protected resource; and 

the security service is located at a first computer, and the protected resource is located 
either at the first computer or at a second computer. 

2. (Previously Presented): The security system of claim 1 wherein the application container 
of claim 1 reads an application deployment description and registers the application deployment 
description within the security service. 

3. (Cancelled) 

4. (Previously Presented): The security system of claim 2 wherein the application container 
is a Web Application container. 
5. (Cancelled)

6. (Currently Amended): The security system of claim 1 [[5]] wherein the security service 
further includes an access controller for transferring the access request to the plurality of security 
plug-ins, and for combining the contributory decisions into an overall decision by the security 
service to permit or deny the access request. 

7. (Currently Amended): The security system of claim 1 [[5]] wherein one or more of the 
plurality of the security plug-ins represent a business function related authorization policy. 

8.-9. (Canceled)

10. (Currently Amended): The security system of claim 1 [[5]] wherein a deny or abstain by 
any one of the plurality of security plug-ins causes the security service to deny the access request. 

11. (Currently Amended): The security system of claim 1 [[5]] wherein an abstain by any one
of the plurality of security plug-ins does not cause the security service to deny the access request. 

12. (Currently Amended): The security system of claim 1 [[5]] wherein the security service 
further includes security plug-ins that implement an audit interface for auditing the determinations 
of the plurality of access requests. 
13.-17. (Canceled)

18. (Currently Amended): A method of allowing a client to access a protected resource 
through an application container, the method comprising: 

receiving at the application container, which provides services to the resources it contains, 
an access request from the client to access the protected resource; 

communicating the access request from the application container to a security service with 
the access request and a callback handler, wherein the application container delegates 
authorization decisions to the security service by passing the access request and the callback 
handler to the security service when the application container receives the access request for the 
protected resource from the client; 

making a decision at the security service to permit or deny the access request, wherein a 
plurality of security plug-ins that implement an access decision interface are plugged into the 
security service; 

using the callback handler at each security plug-in to request context information from the 
application container for the access request, wherein the context information comprises one or 
more parameter values describing the access request, identity of the protected resource, and 
profile information describing the client; 

determining entitlements for the client to use with the protected resource depending on 
output from each security plug-in, wherein the plurality of security plug-ins determine roles for 
which the client is entitled, and wherein the association of the client to roles is computed 
dynamically at runtime, and wherein each of the plurality of security plug-ins determines a
contributory decision selected from a group comprising: permit, deny, and abstain; and
communicating a permitted access request to the protected resource. 

19. (Previously Presented): The method of claim 18 wherein the application container of claim
18 reads an application deployment description and registers the deployment description within 
the security service. 

20. (Canceled) 

21. (Previously Presented): The method of claim 19 wherein the application container is a 
Web Application container. 

22. (Cancelled) 

23. (Currently Amended): The method of claim 18 [[22]] further comprising:

transferring, via an access controller, the access request to the plurality of security plug-ins,
and combining the contributory decisions into an overall decision by the security service to permit 
or deny the access request. 

24. (Currently Amended): The method of claim 18 [[22]] wherein one or more of the plurality of
the security plug-ins represent a business function related access policy. 
25.-26. (Canceled)

27. (Currently Amended): The method of claim 18 32- wherein a deny or abstain by any one of 
the plurality of security plug-ins causes the security service to deny the access request. 

28. (Currently Amended): The method of claim 18 32- wherein an abstain by any one of the 
plurality of security plug-ins does not cause the security service to deny the access request. 

29. (Currently Amended): The method of claim 18 33 further comprising: 
auditing the determinations of the plurality of access decision mechanisms. 

30-41. (Canceled) 

42. (Previously Presented): The security system of claim 1, wherein computation of a dynamic 
role occurs immediately before an authorization decision for the protected resource. 

43. (Previously Presented): The security system of claim 18, wherein computation of a dynamic 
role occurs immediately before an authorization decision for the protected resource. 
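
The decision flow recited in claims 1, 6, 10 and 11, as an added Python sketch that is not part of the patent record or any implementation by the applicant. All class, function, plug-in and context-key names are hypothetical, the context values are constructed, and the fail-closed handling of an all-abstain vote is an assumption the claims do not state.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ABSTAIN = "abstain"

class CallbackHandler:
    """Container-side handler: plug-ins pull context on demand (hypothetical API)."""
    def __init__(self, context):
        self._context = context
        self.requested = []              # context keys asked for, kept for audit

    def get(self, key):
        self.requested.append(key)
        return self._context.get(key)

def business_hours_plugin(request, cb):
    """Business-function policy: abstains when the container has no time info."""
    hour = cb.get("hour")
    if hour is None:
        return Decision.ABSTAIN
    return Decision.PERMIT if 9 <= hour < 17 else Decision.DENY

def role_plugin(request, cb):
    """Computes the client's roles at decision time from profile information."""
    if request["resource"] != "/payments/approve":
        return Decision.ABSTAIN          # this policy has no opinion elsewhere
    profile = cb.get("profile") or {}
    roles = {"approver"} if profile.get("department") == "finance" else set()
    return Decision.PERMIT if "approver" in roles else Decision.DENY

PLUGINS = [business_hours_plugin, role_plugin]

def access_controller(request, cb, abstain_denies):
    """Combine contributory decisions into one permit/deny outcome."""
    votes = [plugin(request, cb) for plugin in PLUGINS]
    if Decision.DENY in votes:
        return Decision.DENY, votes
    if abstain_denies and Decision.ABSTAIN in votes:
        return Decision.DENY, votes      # claim 10 behaviour
    if Decision.PERMIT not in votes:
        return Decision.DENY, votes      # assumption: all-abstain fails closed
    return Decision.PERMIT, votes        # claim 11 behaviour: abstain ignored

def authorize(resource, context, abstain_denies):
    """Container entry point: delegate, passing the request and a handler."""
    cb = CallbackHandler(context)        # context values here are constructed
    decision, votes = access_controller({"resource": resource}, cb, abstain_denies)
    return decision, votes, cb.requested
```

The same request with no `hour` in the container's context is denied when `abstain_denies` is true and permitted when it is false, which is the difference between claims 10 and 11.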
The following is an examiner's statement of reasons for allowance: The prior art does not
teach the limitation as amended above for independent claims 1 and 18. Particularly, the prior art 
does not teach that each of the plurality of security plug-ins determines a contributory decision 
selected from a group comprising: permit, deny, and abstain.

Any comments considered necessary by applicant must be submitted no later than the 
payment of the issue fee and, to avoid processing delays, should preferably accompany the issue 
fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for 
Allowance." 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The 
examiner can normally be reached on 9:00am-4:30pm Mon-Thurs. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the organization 
where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, 
contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like 
assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
Supervisory Patent Examiner, Art Unit 2135



